Suggestions for improvement:

We added a new logging mechanism to ds which is able to log failed attempts to alter / modify objects in a directory.

A new set of configuration values is added. These match the nsslapd-audit config items in function, but they control the auditfail log.

* 'nsslapd-auditfaillog-maxlogsize'
* 'nsslapd-auditfaillog-logrotationsync-enabled'
* 'nsslapd-auditfaillog-logrotationsynchour'
* 'nsslapd-auditfaillog-logrotationtime'
* 'nsslapd-auditfaillog-logrotationtimeunit'
* 'nsslapd-auditfaillog-logmaxdiskspace'
* 'nsslapd-auditfaillog-logminfreediskspace'
* 'nsslapd-auditfaillog-logexpirationtime'
* 'nsslapd-auditfaillog-logexpirationtimeunit'
* 'nsslapd-auditfaillog-logging-enabled'
* 'nsslapd-auditfaillog-logging-hide-unhashed-pw'
* 'nsslapd-auditfaillog'
* 'nsslapd-auditfaillog-list'

If the nsslapd-auditfaillog is *not* given, the fail events are logged into the audit log as well.

Audit events now show the operation return code and reason for failure / success.

If a plugin has the attribute in its configuration

* nsslapd-logAccess
* nsslapd-logAudit

The events generated by the plugin will go to the access and audit logs respectively. If auditfail is enabled, failures will be logged too.

Additionally, the plugins now respect the global values:

* nsslapd-plugin-logging

Which will cause all plugins to log their access and audit events.
Hi Will,

I was comparing the list of attributes you provided above with the existing list of 'nsslapd-auditlog*' parameters in the Configuration, Command and File Reference, and I found some discrepancies. Can you please take a look and let me know if this is expected or if we're missing some attributes?

The following attributes are available for auditlog, but do not have an equivalent in the list you provided for auditfaillog:

* nsslapd-auditlog-logrotationsyncmin
* nsslapd-auditlog-maxlogsperdir
* nsslapd-auditlog-mode

The following attribute is in your list for auditfaillog, but does not have an equivalent auditlog attribute:

* nsslapd-auditfaillog-logging-hide-unhashed-pw

The following attribute is documented for nsslapd-accesslog but not auditlog or auditfaillog or errorlog - although I suspect that might be OK:

* nsslapd-accesslog-logbuffering

Thanks!
ldap/servers/slapd/slap.h:1941:#define CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE "nsslapd-auditfaillog-mode"
./ldap/servers/slapd/libglobs.c:1130: {CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE, NULL,
./ldap/servers/slapd/slap.h:1941:#define CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE "nsslapd-auditfaillog-mode"

ldap/servers/slapd/slap.h:1945:#define CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE "nsslapd-auditfaillog-maxlogsperdir"
ldap/servers/slapd/libglobs.c:1162: {CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,
ldap/servers/slapd/slap.h:1945:#define CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE "nsslapd-auditfaillog-maxlogsperdir"

ldap/servers/slapd/slap.h:1960:#define CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-auditlog-logrotationsyncmin"
ldap/servers/slapd/libglobs.c:297: {CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,
ldap/servers/slapd/slap.h:1960:#define CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-auditlog-logrotationsyncmin"

Appears to all be there. But it's missing from the 01core389.ldif.

Saying this, nsslapd-auditlog-mode and co. are missing from the 389core.ldif too.

What made you think they were missing? They just aren't part of the template dse.ldif, but if you add them they will work ...
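
The comparison made by hand in the two comments above can be scripted so that audit-logging attributes defined in the source do not drift out of the documented list. This is an added example, not part of the thread or of the 389 Directory Server code; the helper names `parse_grep` and `undocumented` are hypothetical, and the inputs are the attribute list and grep lines quoted in this thread.

```python
import re

# Attribute names from the doc text at the top of this thread (13 entries).
DOC_TEXT_ATTRS = {"nsslapd-auditfaillog" + suffix for suffix in (
    "-maxlogsize", "-logrotationsync-enabled", "-logrotationsynchour",
    "-logrotationtime", "-logrotationtimeunit", "-logmaxdiskspace",
    "-logminfreediskspace", "-logexpirationtime", "-logexpirationtimeunit",
    "-logging-enabled", "-logging-hide-unhashed-pw", "", "-list")}

# grep output as quoted in the reply above (repeated lines omitted).
GREP_OUTPUT = '''\
ldap/servers/slapd/slap.h:1941:#define CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE "nsslapd-auditfaillog-mode"
./ldap/servers/slapd/libglobs.c:1130: {CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE, NULL,
ldap/servers/slapd/slap.h:1945:#define CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE "nsslapd-auditfaillog-maxlogsperdir"
ldap/servers/slapd/libglobs.c:1162: {CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,
ldap/servers/slapd/slap.h:1960:#define CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-auditlog-logrotationsyncmin"
ldap/servers/slapd/libglobs.c:297: {CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,
'''

# "file:line:#define MACRO "attr"" (definition) and "file:line: {MACRO," (use).
DEFINE_RE = re.compile(r'^[^:]+:\d+:#define\s+(CONFIG_\w+_ATTRIBUTE)\s+"([^"]+)"')
USE_RE = re.compile(r'^[^:]+:\d+:\s*\{(CONFIG_\w+_ATTRIBUTE),')


def parse_grep(text):
    """Map each defined attribute name to True if its macro is also used."""
    defined, used = {}, set()
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
            continue
        m = USE_RE.match(line)
        if m:
            used.add(m.group(1))
    return {attr: macro in used for macro, attr in defined.items()}


def undocumented(text, documented, prefix="nsslapd-auditfaillog-"):
    """Attributes defined and used in source but absent from the doc list."""
    return sorted(attr for attr, in_use in parse_grep(text).items()
                  if in_use and attr.startswith(prefix) and attr not in documented)


if __name__ == "__main__":
    for attr in undocumented(GREP_OUTPUT, DOC_TEXT_ATTRS):
        print("defined in source, not in doc text:", attr)
```
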
The update for Directory Server 10.1 is now available on the Customer Portal.